From patchwork Thu Jun 14 13:32:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "J. Bruce Fields" X-Patchwork-Id: 10464129 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 10B90603B4 for ; Thu, 14 Jun 2018 13:32:41 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F33ED285E5 for ; Thu, 14 Jun 2018 13:32:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E71CF2894C; Thu, 14 Jun 2018 13:32:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3588328950 for ; Thu, 14 Jun 2018 13:32:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755298AbeFNNcj (ORCPT ); Thu, 14 Jun 2018 09:32:39 -0400 Received: from fieldses.org ([173.255.197.46]:55048 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754972AbeFNNcj (ORCPT ); Thu, 14 Jun 2018 09:32:39 -0400 Received: by fieldses.org (Postfix, from userid 2815) id B46D0C52; Thu, 14 Jun 2018 09:32:38 -0400 (EDT) Date: Thu, 14 Jun 2018 09:32:38 -0400 To: Steve Dickson Cc: linux-nfs@vger.kernel.org Subject: [PATCH] exports: document change to "insecure" export option Message-ID: <20180614133238.GA24594@fieldses.org> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) From: bfields@fieldses.org (J. Bruce Fields) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: "J. Bruce Fields" We're changing the kernel to allow gss requests from high ports even when "secure" is set. If the change gets backported to distro kernels, the kernel version may be an imperfect predictor of the behavior, but I think it's the best we can do. Signed-off-by: J. Bruce Fields --- utils/exportfs/exports.man | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index 4f95f3a2197e..e3a16f6b276a 100644 --- a/utils/exportfs/exports.man +++ b/utils/exportfs/exports.man @@ -131,10 +131,12 @@ this way are ro, rw, no_root_squash, root_squash, and all_squash. understands the following export options: .TP .IR secure -This option requires that requests originate on an Internet port less -than IPPORT_RESERVED (1024). This option is on by default. To turn it -off, specify +This option requires that requests not using gss originate on an +Internet port less than IPPORT_RESERVED (1024). This option is on by default. +To turn it off, specify .IR insecure . +(NOTE: older kernels (before upstream kernel version 4.17) enforced this +requirement on gss requests as well.) .TP .IR rw Allow both read and write requests on this NFS volume. The